Re: nslcd feature request (combined pam_authz_search)
- From: Arthur de Jong <arthur [at] arthurdejong.org>
- To: nss-pam-ldapd-users <nss-pam-ldapd-users [at] lists.arthurdejong.org>
- Subject: Re: nslcd feature request (combined pam_authz_search)
- Date: Mon, 23 Apr 2012 20:44:04 +0200
On Mon, 2012-04-23 at 21:53 +0400, Lior Goikhburg wrote:
> Here is a situation: I need to perform two different searches before
> authenticating a user:
> * a user object should have an attribute "host" set to the $hostname of
> the machine
> * a host object of $hostname should have an attribute "mode" set to
> "active"
>
> It would be possible if I could specify more than one pam_authz_search
> parameter in nslcd.conf file.
>
> A possible config block could look like this:
>
> pam_authz_search (&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))
> pam_authz_search (&(objectClass=server)(mode=active))
> satisfy any
>
> Any thoughts?

It sounds interesting but I personally don't like the satisfy any syntax
much (Apache ACLs are a bit too complex for my taste).

Anyway, you can already accomplish the above, if it is OK if either of
the searches returns any results, with the following:

pam_authz_search (|(&(objectClass=posixAccount)(uid=$username)(|(host=$host)(host=$fqdn)))(&(objectClass=server)(mode=active)))

Also note that you can use objectClass=$hostname instead of
objectClass=server.

--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
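
An added example, not part of the original message and not nslcd code: the combined filter from the reply evaluated over constructed entries. Because a filter is tested against one entry at a time, the OR form authorizes any user as soon as an active server entry is in the search scope, and an AND of the two clauses can never match. Assumptions: the evaluator handles only &, | and equality, the RFC 4515 escaping of substituted values is this example's choice, and USER, SERVER, VARS and AND_FORM are constructed.

```python
import re
from string import Template

# pam_authz_search value from the reply above; AND_FORM is a constructed variant.
COMBINED = ("(|(&(objectClass=posixAccount)(uid=$username)"
            "(|(host=$host)(host=$fqdn)))(&(objectClass=server)(mode=active)))")
AND_FORM = "(&" + COMBINED[2:]

# Constructed sample entries (attribute names lower-cased) and variable values.
USER = {"objectclass": ["posixAccount"], "uid": ["alice"], "host": ["web1"]}
SERVER = {"objectclass": ["server"], "cn": ["web1"], "mode": ["active"]}
VARS = {"username": "alice", "host": "web1", "fqdn": "web1.example.com"}

def expand(filt, variables):
    """Substitute $name variables, escaping each value per RFC 4515."""
    esc = lambda v: re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), v)
    return Template(filt).substitute({k: esc(v) for k, v in variables.items()})

def parse(s, i=0):
    """Parse the &, | and equality subset of LDAP filters: (node, next index)."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, value = s[i + 1:end].split("=", 1)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against ONE entry, as an LDAP search does."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])

def authorized(filt, variables, directory):
    """Grant access when at least one entry matches the expanded filter."""
    tree, _ = parse(expand(filt, variables))
    return any(matches(tree, e) for e in directory)

if __name__ == "__main__":
    bob = dict(VARS, username="bob")
    print(authorized(COMBINED, VARS, [USER]))          # user clause matches
    print(authorized(COMBINED, bob, [USER]))           # no clause matches
    print(authorized(COMBINED, bob, [USER, SERVER]))   # server clause matches
    print(authorized(AND_FORM, VARS, [USER, SERVER]))  # no entry is both
```
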